CVSS2 Score: 7.6 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | HIGH |
Authentication | NONE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:H/Au:N/C:C/I:C/A:C |

EPSS: 0.001 Low (Percentile 25.4%)
Dell BIOS in some older Latitude laptops and Precision Mobile Workstations is vulnerable to buffer overflows (CWE-119) that can be used to bypass the signed BIOS enforcement standard.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
Dell BIOS in some older Latitude laptops and Precision Mobile Workstations is vulnerable to buffer overflows in the `rbu_packet.pktNum` and `rbu_packet.pktSize` values. These values can be set by an attacker while performing an illegitimate BIOS update. The BIOS reads these values when reconstructing the BIOS image, before any signature check occurs.
More information is available from the BIOS Security presentation at Black Hat USA 2013.
By convincing a user with root or administrative privileges to execute a malicious BIOS update, an attacker can bypass the signed BIOS enforcement to install an arbitrary BIOS image that could contain a rootkit or malicious code that persists across operating system re-installations and official BIOS updates.
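The defect class described above is an update parser that trusts header fields (`pktNum`, `pktSize`) from a not-yet-verified update image and uses them for address arithmetic. The following C code is an added illustration of the corrected pattern, not Dell's firmware code: the structure layout, the constants and every name other than `pktNum` and `pktSize` are assumptions for the example. Both fields are range-checked against fixed upper bounds before any offset is computed, and the copy into the staging image is additionally bounded by the real size of the destination buffer, since this stage runs before the signature check and so cannot rely on the image being well formed.

```c
/* Added illustration of bounded BIOS-update packet staging (CWE-119 mitigation).
 * Layout, constants and names other than pktNum/pktSize are assumptions for
 * this example and are not taken from Dell's implementation. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define RBU_MAX_PACKETS    64u    /* assumed maximum packets per image */
#define RBU_PACKET_PAYLOAD 1024u  /* assumed payload bytes per packet */
#define RBU_IMAGE_MAX (RBU_MAX_PACKETS * RBU_PACKET_PAYLOAD)

struct rbu_packet {
    uint32_t pktNum;                    /* index of this packet in the image */
    uint32_t pktSize;                   /* payload bytes actually used */
    uint8_t  payload[RBU_PACKET_PAYLOAD];
};

enum rbu_status {
    RBU_OK = 0,
    RBU_BAD_PKTNUM = 1,   /* pktNum would index past the staging image */
    RBU_BAD_PKTSIZE = 2,  /* pktSize exceeds the per-packet payload */
    RBU_NO_ROOM = 3       /* packet does not fit in the caller's buffer */
};

/* Check both untrusted header fields before they influence any address
 * arithmetic. Comparing against fixed upper bounds means the checks
 * themselves cannot overflow. */
int rbu_validate_header(const struct rbu_packet *p)
{
    if (p->pktNum >= RBU_MAX_PACKETS)
        return RBU_BAD_PKTNUM;
    if (p->pktSize > RBU_PACKET_PAYLOAD)
        return RBU_BAD_PKTSIZE;
    return RBU_OK;
}

/* Copy one validated packet into the staging image. This runs before any
 * signature check, so every write is bounded by the header checks above
 * and by the actual size of the destination buffer. */
int rbu_stage_packet(uint8_t *image, size_t image_len, const struct rbu_packet *p)
{
    int st = rbu_validate_header(p);
    if (st != RBU_OK)
        return st;
    size_t off = (size_t)p->pktNum * RBU_PACKET_PAYLOAD;
    if (off > image_len || p->pktSize > image_len - off)
        return RBU_NO_ROOM;
    memcpy(image + off, p->payload, p->pktSize);
    return RBU_OK;
}

/* Helper: build a constructed packet with the given header values and try
 * to stage it into a buffer of image_len bytes; returns the status code. */
int rbu_try_packet(uint32_t pktNum, uint32_t pktSize, size_t image_len)
{
    static uint8_t image[RBU_IMAGE_MAX];
    struct rbu_packet p;
    if (image_len > sizeof image)
        image_len = sizeof image;
    memset(&p, 0, sizeof p);
    p.pktNum = pktNum;
    p.pktSize = pktSize;
    memset(p.payload, 0xA5, sizeof p.payload);   /* constructed filler payload */
    return rbu_stage_packet(image, image_len, &p);
}

int main(void)
{
    /* Constructed headers: one valid packet, then the out-of-range cases. */
    printf("valid packet      -> %d\n", rbu_try_packet(3, 512, RBU_IMAGE_MAX));
    printf("pktNum too large  -> %d\n", rbu_try_packet(0xFFFFFFFFu, 16, RBU_IMAGE_MAX));
    printf("pktSize too large -> %d\n", rbu_try_packet(0, 0x10000u, RBU_IMAGE_MAX));
    printf("no room in image  -> %d\n", rbu_try_packet(63, 1024, 4096));
    return 0;
}
```

The point of the example is ordering: rejection of a bad `pktNum` or `pktSize` happens in `rbu_validate_header` before the offset is ever formed, so an update whose signature would later fail still cannot write outside the staging buffer while it is being reassembled.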
Apply an Update
Dell has released updated BIOS versions for the affected Latitude and Precision systems that can be downloaded from their support site. Dell has provided the following list of fixed BIOS versions:
Model | Date | BIOS Version |
---|---|---|
Latitude D530 | 8/22/2013 | A12 |
Latitude D531 | 7/16/2013 | A12 |
Latitude D630 | 7/16/2013 | A19 |
Latitude D631 | 7/26/2013 | A12 |
Latitude D830 | 7/16/2013 | A17 |
Precision M2300 | 7/16/2013 | A11 |
Precision M4300 | 7/16/2013 | A17 |
Precision M6300 | 7/16/2013 | A15 |
Latitude E5400 | 7/16/2013 | A19 |
Latitude E5500 | 7/16/2013 | A19 |
Latitude E4200 | 7/16/2013 | A24 |
Latitude E4300 | 7/16/2013 | A26 |
Latitude E6400 | 7/16/2013 | A34 |
Latitude E6400 ATG | 7/16/2013 | A34 |
Latitude E6400 / ATG / XFR | 7/16/2013 | A34 |
Latitude XT2 | 7/18/2013 | A15 |
Latitude E6500 | 7/16/2013 | A29 |
Latitude Z600 | 7/16/2013 | A11 |
Precision M2400 | 7/16/2013 | A28 |
Precision M4400 | 7/16/2013 | A29 |
Precision M6400 | 7/16/2013 | A13 |
Precision M6500 | 7/18/2013 | A10 |
912156
Dell: Notified July 11, 2013. Updated August 22, 2013. Status: Affected.
We have not received a statement from the vendor.
Dell provided the list of fixed BIOS versions reproduced in the Apply an Update section above.
Group | Score | Vector |
---|---|---|
Base | 6.2 | AV:L/AC:H/Au:N/C:C/I:C/A:C |
Temporal | 4.9 | E:POC/RL:OF/RC:C |
Environmental | 3.7 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
Thanks to Corey Kallenberg, John Butterworth, and Xeno Kovah of the MITRE Corporation for reporting this vulnerability. Thanks also to Rick Martinez from Dell.
This document was written by Adam Rauf.
Field | Value |
---|---|
CVE IDs | CVE-2013-3582 |
Date Public | 2013-08-15 |
Date First Published | |